High-Tech Bridge Security Research Lab discovered a vulnerability in Microweber, which can be exploited to delete arbitrary files and, as a consequence, compromise the vulnerable system.

1) Improper Access Control in Microweber: CVE-2013-5984

The vulnerability exists due to improper access restriction to the "/userfiles/modules/admin/backup/delete.php" script and insufficient validation of user-supplied input passed via the "file" HTTP GET parameter. A remote unauthenticated attacker can delete arbitrary files on the target system with the privileges of the web server using directory traversal sequences and a NULL byte.

The exploitation example below deletes the application's configuration file "config.php":

http://[host]/userfiles/modules/admin/backup/delete.php?file=../../../../../config.php%00

After deletion of the "config.php" file, the application will suggest re-installing it from scratch when the "/index.php" file is accessed. Further exploitation of this vulnerability allows the attacker to reinstall the application and get full administrative access to it. After successful re-installation, the attacker can use the "Admin Console" module of the application to execute arbitrary PHP code on the target system.

The simple exploit below displays the output of the "phpinfo()" PHP function after successful re-installation of the application:

POST /module/ HTTP/1.1

module=admin%2Fconsole%2Fterm&data-type=admin%2Fconsole%2Fterm&id=mw_exec_term_command&class=+module++&exec_command=cGhwaW5mbw==&exec_command_params=MQ%3D%3D

Solution:

Update to Microweber version 0.830

More Information: https://github.com/microweber/microweber/commit/9177d134960c24cb642d5cf3b42a1fba286219cc
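
For reviewing web server logs on a host that ran a vulnerable version, the following added example (not part of the original advisory and not Microweber code) flags requests to the backup delete script whose "file" parameter contains a NULL byte, traversal sequence or path separator. The common/combined access log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

DELETE_SCRIPT = "/userfiles/modules/admin/backup/delete.php"  # path from the advisory
# Request and status fields of a common/combined-format log line (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2014:10:00:00 +0000] "GET /userfiles/modules/admin/backup/delete.php?file=../../../../../config.php%00 HTTP/1.1" 200 15',
    '198.51.100.4 - - [01/Jan/2014:10:05:00 +0000] "GET /userfiles/modules/admin/backup/delete.php?file=backup_2013.zip HTTP/1.1" 200 15',
    '203.0.113.7 - - [01/Jan/2014:10:09:00 +0000] "GET /cms/userfiles/modules/admin/backup/delete.php?file=%252e%252e%252fconfig.php HTTP/1.1" 200 15',
]

def decode_fully(value, rounds=3):
    """Percent-decode several times so double-encoded sequences are caught too."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_reasons(file_value):
    """Return the reasons a 'file' value is not a plain backup file name."""
    value = decode_fully(file_value)
    reasons = []
    if "\x00" in value:
        reasons.append("null-byte")
    if ".." in value.replace("\\", "/").split("/"):
        reasons.append("traversal")
    if "/" in value or "\\" in value:
        reasons.append("path-separator")
    return reasons

def scan(lines):
    """Return (client, status, reasons) for each flagged request to the delete script."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # endswith() also matches installations below a subdirectory.
        if not decode_fully(url.path).endswith(DELETE_SCRIPT):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            reasons = suspicious_reasons(value)
            if reasons:
                findings.append((line.split()[0], int(m["status"]), reasons))
    return findings
```

Calling `scan()` on the lines of an access log returns one tuple per flagged request; because the script was reachable without authentication in affected versions, any hit from an unexpected client is worth following up by checking whether "config.php" is still present.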
